The Protection of Personal Information Bill (PPIB) is proposed legislation, expected to be passed shortly, that will regulate how entities may use an individual's personal information going forward. The purpose of the bill is to protect a fundamental human right: a person's privacy and their right to choose how their information is used. As long as there is no mechanism or regulatory control over what others can do with an individual's information, that right cannot be protected. The bill puts that mechanism in place.
Deloitte and ITWeb recently conducted a survey to gauge what South African companies are doing to comply with the PPIB. The results were rather startling.
Fifty-three percent of organisations have not done what is required in order to comply with the PPIB
Dean Chivers, Director at Deloitte Legal, says there are a number of possible reasons for this. There is a tendency in the South African environment to leave compliance until late in the game, and the fact that this law is still only a bill may be one reason for the delay. "We also have to accept that this piece of legislation introduces a brand new concept to South African law and this bill will not be easy," says Chivers. It will take time for companies to understand the impact the bill will have on their day-to-day business.
Terry Kelly, Director at Security and Privacy Services within the company's risk advisory practice, says that organisations will not be able to comply with the bill on the day it is enacted. Compliance is a process that has to be properly planned and orchestrated within an organisation. The bill does allow for a one-year compliance window, but it is Deloitte's view that this period will be insufficient for the bulk of organisations; compliance is not something that will happen overnight.
Fifty-nine percent of organisations have revealed that they have not yet appointed a privacy officer
Appointing a privacy officer is a new requirement under the law. The effort of appointing and training a privacy officer is another reason why organisations have not yet started on any of the compliance aspects of the law.
Thirty-nine percent of organisations do not understand how the PPIB will align with other pieces of legislation that are already in effect
The Consumer Protection Act currently regulates direct marketing, requiring that companies allow recipients to opt out of it. The PPIB also governs direct marketing, and will in fact introduce a higher standard than the Consumer Protection Act's opt-out model, so companies cannot assume that existing Consumer Protection Act compliance will satisfy the PPIB.
Fifty-six percent of organisations stated that their information did not flow across borders
Most companies have no idea where their information is actually stored. They know that they outsource a function to a service provider, but they do not know where that provider in turn sends the information. They may not be intentionally sending information across borders, but they may be unintentionally allowing it to cross borders through their providers.
Take two common examples: cloud computing and the multi-national group. In both, cross-border flows probably happen without people really understanding that they happen. In a multi-national group there is typically a continual flow of information between the various entities within the group, and that, by its very nature, involves cross-border flows of data.
The fact that this happens between entities within the same group does not relieve each entity from complying with the data privacy laws in general, and with the cross-border information flow rules in particular. Likewise, companies may not realise that they are putting information into the cloud, yet a great deal of information is being put into the cloud and a great deal is being accessed from it.
People refer to cloud computing without a clear understanding of what it actually is. At bottom, cloud computing is simply accessing a server located somewhere in the world, and that server is often outside South Africa. Any use of cloud computing services therefore usually involves a cross-border flow of data and triggers the cross-border rules, whether or not the organisation is aware of where its data ends up.
It is important to understand that the PPIB regulates many of the data flows within an organisation, the cross-border flow being only one of them. The reason compliance is so difficult is that the practical implications of what is being legislated are often not understood.
What will it do for South African business? It will bring the country in line with privacy legislation elsewhere in the world, which will allow South African businesses to deal with organisations internationally without the cross-border flow of information becoming an obstacle, because the country will have its own privacy law in force.